oss-sec mailing list archives
Re: CVE Request: KDE Pim
From: David Faure <faure () kde org>
Date: Tue, 17 Jul 2012 14:06:40 +0200
On Tuesday 17 July 2012 10:18:06 laurent Montel wrote:
> Security problem is that we allow the use of javascript. In 4.4 we don't have it.
And here's a testcase for the actual bug. In kmail, Ctrl+O, open this .mbox, click on the HTML version, enable HTML rendering, a javascript messagebox pops up.

Not sure what can really be exploited here (xmlhttprequest?), but at least this way one can prove that 4.4 isn't affected, and test the 4.9 fix.

-- 
David Faure, faure () kde org, http://www.davidfaure.fr
Sponsored by Nokia to work on KDE, incl. KDE Frameworks 5
Attachment: html.mbox